ArcGIS Server Log4j Patch

Summary

This security patch addresses multiple security vulnerabilities found in log4j distributed with ArcGIS Server. Esri recommends that all customers using ArcGIS Server 10.8.1 apply this patch.

Description

Important Note April 11, 2022: New patches have been released to prevent BUG-000148146 on some AWS (Amazon Web Services) deployments. The B patches will install over the top of the original patches if you have already installed the originals. If you did install the original patches, please see the tech article to ensure your system will not encounter a possible problem where ArcGIS Server machines are removed from a site after a machine restart. If you did not previously install the original patches and are only applying the "B" version, the issue should not occur.

Important Note April 7, 2022: An issue has been identified with the ArcGIS Server Log4j Patch for versions 10.8.1, 10.9 and 10.9.1, limited to some AWS (Amazon Web Services) deployments. Please do not install the ArcGIS Server Log4j Patch for versions 10.8.1, 10.9 and 10.9.1 on your AWS deployment. A revised patch with the necessary corrections will be released soon. If you have already successfully deployed the patch on your AWS deployment, no uninstall of the patch is necessary and your systems are fully protected; however, please follow the steps outlined in this tech article to ensure your system will not encounter a possible problem where ArcGIS Server machines are removed from a site after a machine restart. Further details of the possible problem can be found in BUG-000148146.

Esri® announces the ArcGIS Server Log4j Patch. Esri recommends that all customers using ArcGIS Server 10.8.1 apply this patch. This patch deals specifically with the issue listed below under Issues Addressed with this patch.


Issues Addressed with this patch

To avoid conflicts on 10.8.1, this patch also addresses:
  • BUG-000145107 - Unable to access secure services in Portal for ArcGIS 10.8.1 when using a token generated using application credentials.
  • BUG-000144252 - Hosted Feature Service Views with Query Top Features (Top Filter parameter) definition ignore Object IDs in a GET Request query.
  • BUG-000142204 - Setting a field invisible in a hosted feature service view needs to hide the field references from the templates.
  • BUG-000142180 - Hosted feature services vulnerable to XSS.
  • BUG-000142120 - SQL injection vulnerability in ArcGIS Server.
  • BUG-000139857 - Remote file inclusion vulnerability in the ArcGIS Server help documentation.
  • BUG-000138234 - The WebGIS DR backup fails when attempting to create a service.
  • BUG-000137668 - Stored XSS vulnerability in ArcGIS Server Services Directory.
  • BUG-000137663 - Stored XSS vulnerability in ArcGIS Server.
  • BUG-000137662 - Reflected XSS in ArcGIS Server.
  • BUG-000137658 - SSRF vulnerability in ArcGIS Server Manager.
  • BUG-000135919 - When the ArcGIS Server site import fails when using the DR tool, the site is not returned to a functional state.
  • BUG-000135918 - Importing an ArcGIS Server site using the DR tool may fail sporadically.
  • BUG-000135563 - If the field name is named with multibyte strings, using the WHERE clause as the query operation with the field fails.
  • BUG-000134113 - Only update service iteminfo when the Item Description fields are purposefully edited within Server Manager.
  • BUG-000133232 - Add support in ArcGIS Server to ensure ArcGIS Enterprise portal members with custom roles are able to delete their own services when the role includes administrative privileges such as 'View all members' and publisher privileges.
  • BUG-000132999 - In a multi-machine ArcGIS Server site, the restore process may not successfully unregister, and re-register the additional nodes.
  • BUG-000131992 - Reflected cross-site scripting (XSS) vulnerability in ArcGIS Server.
  • BUG-000127160 - Error enabling Location Tracking when the configuration store is in the cloud storage.

Installing this patch on Windows


Installation Steps:


The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.

  1. Download the appropriate file to a location other than your ArcGIS installation location.

  2. ArcGIS Enterprise 10.8.1
     ArcGIS Server: ArcGIS-1081-S-Log4j-PatchB.msp
     Checksum (SHA256): 9E81CFFEB0AA9A063E7ACAA8EBE7D9F377EE7C8567DDB201C37B283560312CF6

  3. Make sure you have write access to your ArcGIS installation location.

  4. Double-click ArcGIS-1081-S-Log4j-PatchB.msp to start the setup process.

    NOTE: If double-clicking the MSP file does not start the setup, you can start it manually with the following command:


    msiexec.exe /p [location of Patch]\ArcGIS-1081-S-Log4j-PatchB.msp


Installing this patch on Linux


Installation Steps:


Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder.

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.

  1. Download the appropriate file to a location other than your ArcGIS installation location.


     ArcGIS Enterprise 10.8.1
     ArcGIS Server: ArcGIS-1081-S-Log4j-PatchB-linux.tar
     Checksum (SHA256): 858EACA5F36C6361C3F0073D62F8A47CAAE2E1A28DC57DD9490A33B9138A17BE

  2. Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.

  3. Extract the specified tar file by typing:


    % tar -xvf ArcGIS-1081-S-Log4j-PatchB-linux.tar

  4. Start the installation by typing:


    % ./applypatch

    This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.
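Before running applypatch (or msiexec on Windows), the downloaded file should be compared against the SHA256 checksum published above; the following POSIX shell check is an added example, not part of Esri's patch page, and assumes only that sha256sum, shasum or openssl is available on the host.

```shell
#!/bin/sh
# Added example (not from Esri's page): verify a downloaded ArcGIS patch
# against the SHA256 checksum published on the patch page before installing.
# Usage: ./verify_patch.sh <patch file> <expected sha256>

# Print the SHA256 of a file using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_patch FILE EXPECTED: returns 0 on match, 1 on mismatch or missing file.
# The comparison is case-insensitive because Esri publishes the hash in upper
# case while the hashing tools print lower case.
verify_patch() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "MISSING: $file" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA256"
        return 0
    fi
    echo "MISMATCH: $file (do not install)" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Checksums exactly as published on the patch page for the 10.8.1 downloads.
WIN_SHA256=9E81CFFEB0AA9A063E7ACAA8EBE7D9F377EE7C8567DDB201C37B283560312CF6
LINUX_SHA256=858EACA5F36C6361C3F0073D62F8A47CAAE2E1A28DC57DD9490A33B9138A17BE

# Run the check only when invoked with arguments, so the file can also be sourced.
if [ $# -eq 2 ]; then
    verify_patch "$1" "$2"
fi
```

For the Linux download the call is `./verify_patch.sh ArcGIS-1081-S-Log4j-PatchB-linux.tar "$LINUX_SHA256"`; a non-zero exit means the tar file must not be extracted or applied.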


Upgrade a geodatabase

When a hotfix or patch for ArcGIS has been applied, it may also be necessary to upgrade your geodatabase. See the Upgrade the Geodatabase section on the Geodatabase management page for your individual DBMS platform for more information.


Uninstalling this patch on Windows


    To uninstall this patch on Windows, open the Windows Control Panel and navigate to installed programs. Make sure that "View installed updates" (upper left side of the Programs and Features dialog) is active. Select the patch name from the programs list and click Uninstall to remove the patch.

Uninstalling this patch on Linux


    To remove this patch on versions 10.7 and higher, navigate to the <Product Installation Directory>/.Setup/qfe directory and run the following script as the ArcGIS Install owner:


    ./removepatch.sh

    The removepatch.sh script allows you to uninstall previously installed patches or hot fixes. Use the -s status flag to get the list of installed patches or hot fixes ordered by date. Use the -q flag to remove patches or hot fixes in reverse chronological order by the date they were installed. Type ./removepatch.sh -h for usage help.

    Restart your ArcGIS services.

Patch Updates

Check the Patches and Service Packs page periodically for the availability of additional patches. New information about this patch will be posted here.

Important Note April 11, 2022: New patches have been released to prevent BUG-000148146 on some AWS (Amazon Web Services) deployments. The B patches will install over the top of the original patches if you have already installed the originals. If you did install the original patches, please see the tech article to ensure your system will not encounter a possible problem where ArcGIS Server machines are removed from a site after a machine restart. If you did not previously install the original patches and are only applying the "B" version, the issue should not occur.

April 7, 2022: An issue has been identified with the ArcGIS Server Log4j Patch for versions 10.8.1, 10.9 and 10.9.1, limited to some AWS (Amazon Web Services) deployments. Please do not install the ArcGIS Server Log4j Patch for versions 10.8.1, 10.9 and 10.9.1 on your AWS deployment. A revised patch with the necessary corrections will be released soon. If you have already successfully deployed the patch on your AWS deployment, no uninstall of the patch is necessary and your systems are fully protected; however, please follow the steps outlined in this tech article to ensure your system will not encounter a possible problem where ArcGIS Server machines are removed from a site after a machine restart. Further details of the possible problem can be found in BUG-000148146.

March 31, 2022: An issue has been identified with the ArcGIS Server Log4j Patch for versions 10.8.1, 10.9 and 10.9.1, limited to some AWS (Amazon Web Services) deployments. Please do not install the ArcGIS Server Log4j Patch for versions 10.8.1, 10.9 and 10.9.1 on your AWS deployment. A revised patch with the necessary corrections will be released soon. If you have already successfully deployed the patch on your AWS deployment, no uninstall of the patch is necessary and your systems are fully protected. Further details of the problem under investigation can be found in BUG-000148146.

March 31, 2022: Corrected list of accumulated issues.

How to identify which ArcGIS products are installed

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.

Getting Help

Domestic sites: please contact Esri Technical Support at 1-888-377-4575 if you have any difficulty installing this patch. International sites: please contact your local Esri software distributor.